* added support for storing EAP user password as NtPasswordHash instead
of plaintext password when using MSCHAP or MSCHAPv2 for
authentication (hash:<16-octet hex value>); added nt_password_hash
tool for hashing password to generate NtPasswordHash

Some notes:

Using a different password is not an option, as I have no control over this network (this is a corporate network, and a single username/password is used to access all services, including connecting to the Wifi).

85757: store-password-as-hash-in-wpa-supplicant-conf is very similar to this question, but was (incorrectly) closed as a duplicate of 74500; unfortunately, the answers given to the purported duplicate are specific to PAP, and do not apply to the MSCHAP-v2 case. 85757 itself has an answer claiming that it's essentially impossible regardless of the protocol, but the justification is invalid.[1]

[1] That answer claims that using a hashed password means that the hash becomes the password. This is technically true, but at least the hash is a wifi-only password, which is significant progress over leaking a shared password granting access to multiple services.

2 Answers

You can generate the NtPasswordHash (aka NTLM password hash) yourself as follows:

echo -n plaintext_password_here | iconv -t utf16le | openssl md4

Prefix it with "hash:" in the wpa_supplicant.conf file, i.e.

password=hash:6602f435f01b9173889a8d3b9bdcfd0b

On macOS the iconv code is UTF-16LE

echo -n plaintext_password_here | iconv -t UTF-16LE | openssl md4

Note that you don't gain much security. If an attacker finds the file with the hash, then they can trivially join the network (the same way your computer does), so having hashed the password doesn't help at all. If the password is used anywhere else, then the attacker would have to use brute force to find the original password (i.e. try the most likely passwords and calculate their hash until they find a match). Since you can calculate about 1 billion hashes per second on an ordinary PC, that's not a big hurdle, and attackers can easily use precomputed tables since the hash is unsalted. NTLM is really horrible as a password hash.

Just to clarify: I do get a MSCHAPV2: password hash - hexdump line in the failing debug trace, which is encouraging (the non-encrypted one has a MSCHAPV2: password - hexdump_ascii line instead), but connection fails
– Clément Apr 25 '16 at 23:50

@Clément Just to make sure the right hash is being generated: the above command executed on your system does calculate the same hash as this online calculator, right?
– Guido Apr 26 '16 at 11:45

This doesn't work if the password is longer than 14 characters.
– tjohnson Nov 27 '17 at 19:23

@Alden Very cheap. There's no way to go back directly from the hash to the input, but you can try a lot of possible passwords and calculate their hashes until you find the matching one. MD4 is very fast, 1 billion in 2 seconds with a 6-year-old GPU.
– Gilles May 31 '18 at 6:24

Sorry if the post didn't make it clear: this is exactly the solution in the first non-duplicate that I listed. There is no pre-shared key in the configuration that I'm asking about.
– Clément Apr 25 '16 at 22:22

This may not be the specific question being asked, but it helped me solve my problem. Thank you.
– ifelsemonkey May 31 '18 at 0:44